Really big symmetric keys

I recently came across an interesting security product, although it's not exactly "interesting" in the sense that I might want to buy and use it. This particular product is CRYPTETO from Hawthorne Davies, a UK vendor of encryption technology. Here's what they claim:

The strongest Diplomatic Standard Algorithm key strength is Hawthorne Davies’ TOUAREG Encryption Algorithm used in CRYPTETO. It uses a session key equivalent to 49,152 bits.

Let's assume that this is true and that they're using a public-key algorithm to transport or otherwise protect these keys. According to the formula that NIST uses in Section 7.5 of the Implementation Guidance for FIPS 140-2, it would take an RSA key with slightly more than 15 billion bits to give the same strength as a 49,152-bit symmetric key. Operations on an RSA key that big are totally impractical, so they're definitely not using RSA for key transport.

Maybe they use an elliptic-curve scheme for key transport. If that's the case, it would still take an elliptic-curve key with slightly less than 100,000 bits to give the same strength. That's also impractical, so I don't think that they're doing that either.
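The two key sizes above can be reproduced with a short calculation. This is an added example, not part of the original post: it assumes the IG 7.5 strength estimate x = (1.923 * cbrt(L ln 2) * cbrt((ln(L ln 2))^2) - 4.69) / ln 2 for an L-bit RSA modulus and the usual rule that an elliptic-curve key gives half its length in bits of strength; the function names are made up for illustration.

```python
import math

LN2 = math.log(2)
SESSION_KEY_BITS = 49_152  # the vendor's claimed symmetric strength


def rsa_strength_bits(modulus_bits):
    """Estimated symmetric-equivalent strength of an RSA modulus (IG 7.5 formula)."""
    t = modulus_bits * LN2
    return (1.923 * t ** (1 / 3) * math.log(t) ** (2 / 3) - 4.69) / LN2


def rsa_bits_for_strength(target_bits):
    """Smallest modulus length whose estimated strength reaches target_bits.

    The estimate grows monotonically with the modulus length, so we double
    an upper bound until it is strong enough and then bisect. Intended for
    targets above the strength of a 512-bit modulus.
    """
    lo, hi = 512, 1024
    while rsa_strength_bits(hi) < target_bits:
        lo, hi = hi, hi * 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) < target_bits:
            lo = mid
        else:
            hi = mid
    return hi


def ecc_bits_for_strength(target_bits):
    """Elliptic-curve key length, assuming strength is half the key length."""
    return 2 * target_bits


if __name__ == "__main__":
    rsa = rsa_bits_for_strength(SESSION_KEY_BITS)
    ecc = ecc_bits_for_strength(SESSION_KEY_BITS)
    print(f"RSA modulus needed: {rsa:,} bits")
    print(f"EC key needed:      {ecc:,} bits")
    # Sanity check against a familiar size: a 2048-bit modulus
    print(f"2048-bit RSA is about {rsa_strength_bits(2048):.1f} bits of strength")
```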

This leads me to believe that one of two things is true: either they're using a key much weaker than one with 49,152 bits of strength for key management, or they're using no public-key technology for key management at all. If the first is true, then the CRYPTETO system doesn't really provide 49,152 bits of strength. In this case, its cryptographic strength is limited by the size of the public keys that it uses, and these almost certainly provide much less than 49,152 bits of strength.

If the second is true, then key management is going to be a serious headache for users of the CRYPTETO system. They won't even be able to use SSL to securely transport keys. I doubt that's the case, so we can probably assume that CRYPTETO doesn't provide anywhere near 49,152 bits of strength, and that the claim that it uses a session key that's the equivalent of 49,152 bits is nothing more than a red herring designed to distract and impress potential customers with information that's really not very relevant.
